Anomaly detection with diagnosis in diversified systems using information flow graphs

Frédéric Majorczyk; Eric Totel; Ludovic Mé; Ayda Saïdane

doi:10.1007/978-0-387-09699-5_20

Anomaly detection with diagnosis in diversified systems using information flow graphs

Frédéric Majorczyk, Eric Totel, Ludovic Mé, Ayda Saïdane

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

Original language	English
Title of host publication	Proceedings of The Ifip Tc 11 23rd International Information Security Conference
Subtitle of host publication	IFIP 20th World Computer Congress, IFIP SEC'08
Publisher	Springer New York
Pages	301-315
Number of pages	15
ISBN (Print)	9780387096988
DOIs	https://doi.org/10.1007/978-0-387-09699-5_20
Publication status	Published - 1 Jan 2008
Externally published	Yes

Publication series

Name	IFIP International Federation for Information Processing
Volume	278
ISSN (Print)	1571-5736

Keywords

Anomaly detection
Anomaly diagnosis
COTS diversity
Design diversity
Graph similarity

Access to Document

10.1007/978-0-387-09699-5_20

Cite this

Majorczyk, F., Totel, E., Mé, L., & Saïdane, A. (2008). Anomaly detection with diagnosis in diversified systems using information flow graphs. In Proceedings of The Ifip Tc 11 23rd International Information Security Conference: IFIP 20th World Computer Congress, IFIP SEC'08 (pp. 301-315). (IFIP International Federation for Information Processing; Vol. 278). Springer New York. https://doi.org/10.1007/978-0-387-09699-5_20

Majorczyk, Frédéric ; Totel, Eric ; Mé, Ludovic et al. / Anomaly detection with diagnosis in diversified systems using information flow graphs. Proceedings of The Ifip Tc 11 23rd International Information Security Conference: IFIP 20th World Computer Congress, IFIP SEC'08. Springer New York, 2008. pp. 301-315 (IFIP International Federation for Information Processing).

@inproceedings{67929d2b67ac4cad82d046105994564b,

title = "Anomaly detection with diagnosis in diversified systems using information flow graphs",

abstract = "Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.",

keywords = "Anomaly detection, Anomaly diagnosis, COTS diversity, Design diversity, Graph similarity",

author = "Fr{\'e}d{\'e}ric Majorczyk and Eric Totel and Ludovic M{\'e} and Ayda Sa{\"i}dane",

year = "2008",

month = jan,

day = "1",

doi = "10.1007/978-0-387-09699-5\_20",

language = "English",

isbn = "9780387096988",

series = "IFIP International Federation for Information Processing",

publisher = "Springer New York",

pages = "301--315",

booktitle = "Proceedings of The Ifip Tc 11 23rd International Information Security Conference",

}

Majorczyk, F, Totel, E, Mé, L & Saïdane, A 2008, Anomaly detection with diagnosis in diversified systems using information flow graphs. in Proceedings of The Ifip Tc 11 23rd International Information Security Conference: IFIP 20th World Computer Congress, IFIP SEC'08. IFIP International Federation for Information Processing, vol. 278, Springer New York, pp. 301-315. https://doi.org/10.1007/978-0-387-09699-5_20

Anomaly detection with diagnosis in diversified systems using information flow graphs. / Majorczyk, Frédéric; Totel, Eric; Mé, Ludovic et al.
Proceedings of The Ifip Tc 11 23rd International Information Security Conference: IFIP 20th World Computer Congress, IFIP SEC'08. Springer New York, 2008. p. 301-315 (IFIP International Federation for Information Processing; Vol. 278).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Anomaly detection with diagnosis in diversified systems using information flow graphs

AU - Majorczyk, Frédéric

AU - Totel, Eric

AU - Mé, Ludovic

AU - Saïdane, Ayda

PY - 2008/1/1

Y1 - 2008/1/1

N2 - Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

AB - Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

KW - Anomaly detection

KW - Anomaly diagnosis

KW - COTS diversity

KW - Design diversity

KW - Graph similarity

U2 - 10.1007/978-0-387-09699-5_20

DO - 10.1007/978-0-387-09699-5_20

M3 - Conference contribution

AN - SCOPUS:48249102627

SN - 9780387096988

T3 - IFIP International Federation for Information Processing

SP - 301

EP - 315

BT - Proceedings of The Ifip Tc 11 23rd International Information Security Conference

PB - Springer New York

ER -

Majorczyk F, Totel E, Mé L, Saïdane A. Anomaly detection with diagnosis in diversified systems using information flow graphs. In Proceedings of The Ifip Tc 11 23rd International Information Security Conference: IFIP 20th World Computer Congress, IFIP SEC'08. Springer New York. 2008. p. 301-315. (IFIP International Federation for Information Processing). doi: 10.1007/978-0-387-09699-5_20

Anomaly detection with diagnosis in diversified systems using information flow graphs

Abstract

Publication series

Keywords

Access to Document

Fingerprint

Cite this